ADP SAML Single Sign-On (SSO)


The ADP Web application offers IdP-initiated SAML SSO for single sign-on access through the CyberArk Identity User Portal.

This SAML configuration can be used to federate any ADP application that supports SAML, such as ADP Vantage, iPay, etc. These apps are added to your users' User Portal using the linked applications feature. The Relay State provided during configuration of each linked application determines which ADP application the user accesses through the app. Some ADP applications are already configured for you. If you add additional ADP applications, you will need the relay state from ADP to deploy the applicaton. You can change the name, description, and icon of each linked application to visually differentiate them in your the Admin Portal and your users' User Portal.

Configuring this app in the Admin Portal for SSO requires contact with a representative from the service provider. The time it takes to configure this application varies depending on the service provider's response time.

ADP SSO Requirements

Before you configure the ADP web application for SSO, you need the following:

  • A registered CyberArk Identity account and at least one CyberArk Identity Connector installed on a Windows computer (if you use only the CyberArk Identity Directory as your identity store, you do not need to install the CyberArk Identity Connector).

  • An active ADP account for your organization.
  • A signed certificate.

    You can either download one from the Admin Portal or use your organization’s trusted certificate. If you use your own certificate, upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal, and upload the public key certificate in a .cer or .pem file to the web application. See Choose a certificate file.

Configure ADP SSO

The following steps are specific to the ADP application and are required in order to enable SSO for ADP. For information on optional configuration settings available in the Idaptive the Admin Portal, see Configure optional application settings.

To configure ADP for SSO

  1. On the Trust page find the Identity Provider Configuration > Metadata section and copy the Federation Issuer Identifier.

    You will need to enter this value in ADP's questionnaire.

  2. On the Trust page in the Admin Portal, find the Identity Provider Configuration > Metadata section and click Download Metadata File.

    If you are using your own certificate, you must upload it before downloading the SAML metadata.

  3. Open a new browser tab and go to, then log in using your ADP account.

  4. Hover over Setup , then click Upload certificate.

  5. Select the Upload Metadate File option, then upload the Metadata file that you download from the Admin Portal.

    Each time you change your certificate file, you must download Metadata and upload the new file to ADP.
  6. On the Linked Applications page, add the ADP applications that you want to deploy.

    The following ADP applications are preconfigured with a relay state:

    • ADP Enterprise HR
    • ADP Vantage HCM
    • ADP Workforce Now
    • ADP Enhanced Time
    • MyADP

    The app called Linked App at the bottom of the list is a placeholder to add additonal ADP applications in the future. You will need ADP to provide the appropriate relay state.

    Refer to Add or delete linked applications for more information about linked applications.

  7. Save your changes in the Admin Portal

    Now that you have finished configuring the application settings in the Admin Portal and the ADP application, users are ready to launch ADP applications from the CyberArk Identity User Portal.

ADP Specifications

Each SAML application is different. The following table lists features and functionality specific to ADP.



Support details

Web browser client



Mobile client



SAML 2.0



SP-initiated SSO



IdP-initiated SSO



Force user login via SSO only



Separate administrator login
after SSO is enabled



User or Administrator lockout risk



Automatic user provisioning



Multiple User Types


SSO works the same way for all admin and non-admin user types.

Self-service password


Users can reset their own passwords. Resetting another user’s password requires administrator rights.

Access restriction using a corporate IP range


You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.